Problem with VPN 3030 connecting remote devices that receive their public I
I am trying to set up a VPN 3030 that will be accessed by remote devices (routers) that receive their public IP address via DHCP. The Cisco document "ID 46002" was followed when setting this up. This document may be found at.
The initial set up with one remote device with a Security Association (SA) to the VPN 3030 (base group) using pre-shared keys was successful. The pre-shared keys were then replaced with digital certificates, which was also successful.
The issue came when trying to connect a second remote device to the VPN 3030 (base group). When the second device connected and established its SA, the VPN 3030 issues a disconnect packet to the first device (or established SA).
Looking at the VPN 3030 logs with all IKE and IPsec debugging enabled showed the VPN 3030 processing, creating and sending the disconnect message to the remote device.
To try and get around this problem, I then created separate groups (group1 & group2) on the VPN 3030 for each remote device and set up a filter tying each remote device and its digital certificate to a particular group (i.e. remote device 1 will only connect to VPN 3030 group1 and remote device 2 will only connect to VPN 3030 group2). Unfortunately the same problem still occurred (the established SA was disconnected when the second SA was established), although the remote devices were connecting to different groups configured on the VPN 3030.
Thinking there may be a problem using digital certificates, I then configured the second group to use pre-shared keys, but again the same problem persisted.
I could not find any reference to any limitation on the number of remote devices that receive their IP addresses via DHCP that can connect to the VPN 3030; I just hope that it is more than one.
If anyone has any ideas or knowledge of this I would greatly appreciate their input.
Re: Problem with VPN 3030 connecting remote devices that receive
Yes, the remote routers are behind a NAT gateway. I am unable to use EasyVPN as the remote routers are other vendors' kit.
I have enabled NAT-T etc. but to no avail. It looks like the problem could be caused by the NAT-T limitation of the VPN 3000 as you mentioned.
Earlier release notes (e.g. 3.6.8) state: "Because NAT-T depends on UDP port 4500 being available, if a previous IPSec/UDP configuration is already using that port, you must reconfigure that earlier IPSec/UDP configuration to use a different UDP port".